diff src/testdir/test_vim9_script.vim @ 34105:c4ad4778946c v9.1.0017

patch 9.1.0017: [security]: use-after-free in eval1_emsg() Commit: https://github.com/vim/vim/commit/28d71b566a29ceea3a2d05bcee9264ed5d630d42 Author: Yegappan Lakshmanan <yegappan@yahoo.com> Date: Fri Jan 12 17:21:55 2024 +0100 patch 9.1.0017: [security]: use-after-free in eval1_emsg() Problem: use-after-free in eval1_emsg() when an empty line follows a lambda (by @yu3s) Solution: only set evalarg->eval_using_cmdline = FALSE when the *arg pointer is not null fixes: #13833 closes: #13841 Signed-off-by: Yegappan Lakshmanan <yegappan@yahoo.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
author Christian Brabandt <cb@256bit.org>
date Fri, 12 Jan 2024 17:30:06 +0100
parents 07ac92709982
children 75f7b311ee25
--- a/src/testdir/test_vim9_script.vim
+++ b/src/testdir/test_vim9_script.vim
@@ -4906,6 +4906,31 @@ def Test_for_stmt_space_before_type()
   v9.CheckSourceFailure(lines, 'E1059: No white space allowed before colon: :number in range(10)', 2)
 enddef
 
+" This test used to cause an use-after-free memory access
+def Test_for_empty_line_after_lambda()
+  var lines =<< trim END
+    vim9script
+    echomsg range(0, 2)->map((_, v) => {
+      return 1
+    })
+
+    assert_equal('[1, 1, 1]', v:statusmsg)
+  END
+  v9.CheckSourceSuccess(lines)
+
+  lines =<< trim END
+    vim9script
+    echomsg range(0, 1)->map((_, v) => {
+      return 1
+    }) range(0, 1)->map((_, v) => {
+      return 2
+    }) # comment
+
+    assert_equal('[1, 1] [2, 2]', v:statusmsg)
+  END
+  v9.CheckSourceSuccess(lines)
+enddef
+
 " Keep this last, it messes up highlighting.
 def Test_substitute_cmd()
   new
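Review bot: The comment above `Test_for_empty_line_after_lambda()` does not say which fix the test guards or how a regression would surface. A use-after-free of this kind is usually reported reliably only when the suite runs under ASan or Valgrind, so in a plain build both `v9.CheckSourceSuccess(lines)` calls may still pass if the bug returns. I would expand the comment to something like `" Regression test for patch 9.1.0017 (#13833): an empty line after a lambda in an :echomsg argument used to cause a use-after-free in eval1_emsg(); only reliably detected under ASan/Valgrind.` That wording also corrects "an use-after-free" to "a use-after-free".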